I need to share information with my team, like passwords and credit card numbers.

The needs are pretty minimal -- just an encrypted "spreadsheet". Keepass is potentially a solution but

the user interface is horrible (all command-line would be fine)

It doesn't allow individual user access and revocation

it requires a master password that is shared by many

CPM seems to be what I'm looking for; it solves the above three problems, but it hasn't been maintained in a few years, so I haven't looked into it too deeply yet. However, maybe it doesn't matter that it's not maintained, because the underlying security is handled by GPG, which of course is maintained.

6 Answers

Why not use an OpenPGP implementation?
Which one will depend on which is available for your systems; check your package list.

Many mail clients integrate it (Thunderbird, Evolution, ...), and you can upload the public keys to a public key server (I'd recommend exchanging them on a USB drive though, or using a known secure data transfer protocol and being careful).
Once it's set up in the mail clients, it will work out of the box, nothing to do...

In your case you might want to exchange the private key with everyone; surely you won't be able to exchange it by mail in clear text, you'll bite your tail. So it's the same problem, but you'll have to deal with it once and then you're done.

Or you could send them the encrypted file and tell them the password via another communication system (phone, letter); unless your infrastructure is seriously compromised, it should guarantee an adequate level of security. Actually that's what banks do when you ask them to send you your online banking password: they won't tell it to you on the phone or by email but instead mail it to you in an old-fashioned way.

EDIT: please note that emails are really unsafe; if a mailbox is compromised in the future, it will let the attacker access all the private files and passwords. Be sure to transmit critical data on a non-resilient support.

Not sure I understand -- with what you describe, will I be able to revoke individual user access without having to change a master password/key? Do you know of any guides on the web describing the workflow you are talking about? Thanks!!
– John Bachir, Mar 2 '12 at 20:00

I might have misunderstood you! If you want to revoke access, then each should have a private/public key pair. You send them the files with the mail client and it will use their associated public keys. If someone leaves the team, just don't send him the message and he won't be able to decipher it. I think it might be different as your situation seems very specific. These are generic guidelines, adapt them to fit your needs!
– Aki, Mar 2 '12 at 20:51

Yeah, it would be handy if there were some sort of central DB that required authentication to access, and then I could revoke access, all based on public keys. Yes, I know that for a complete security implementation I should then change all the info that the person previously had access to. But for my purposes, stopping ongoing access is fine.
– John Bachir, Mar 2 '12 at 21:35

If you want a central DB and to revoke access, look at an OpenSSH server. Add public keys to ~/.ssh/authorized_keys and remove the keys of unwanted users by hand. They can use sftp (WinSCP on Windows) to access the files. You can add a comment to each public key in the file to remember the user associated with it. It's easy to implement and does just what you seem to want.
– Aki, Mar 3 '12 at 7:24

Hmm, I guess SSH does control access as well as anything else. But here I'd still want the data encrypted on the disk and would still have to share a master password with multiple people.
– John Bachir, Mar 3 '12 at 18:31
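The per-member public key scheme Aki describes above (encrypt to every current member's key, and stop including someone's key to cut them off), as an added example that is not from this thread. It assumes GnuPG is installed and the members' public keys are already imported; the roster file name and fingerprints are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): a team secrets file encrypted with
# OpenPGP to every current member's public key. Offboarding means removing
# that member's fingerprint from the roster and re-encrypting; there is no
# shared master password to rotate. Assumes GnuPG (gpg) is installed and the
# members' public keys have been imported and verified out of band.
# File names and fingerprints below are constructed placeholders.

ROSTER="${ROSTER:-team.keys}"   # one key fingerprint per line, "# comment" allowed

# Emit one "-r FINGERPRINT" line per roster entry, skipping comments and blanks.
recipient_args() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
        while read -r fpr _; do printf -- '-r %s\n' "$fpr"; done
}

# Drop fingerprint $1 from roster $2 (the roster line must start with it).
remove_from_roster() {
    [ -n "$1" ] || return 1              # an empty pattern would empty the roster
    grep -v "^$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Encrypt plaintext $1 to every roster member, producing ASCII-armored $1.asc.
# Any member then decrypts with: gpg --decrypt "$1.asc"
encrypt_secrets() {
    # shellcheck disable=SC2046  # word-splitting of the -r pairs is intended
    gpg --batch --yes --armor --encrypt $(recipient_args "$ROSTER") \
        --output "$1.asc" "$1"
}

# Offboard member $1: remove the key, then re-encrypt $2 so the new revision
# is unreadable with the removed key. Copies of the old revision stay
# readable, so the secrets themselves should still be changed afterwards.
offboard_member() {
    remove_from_roster "$1" "$ROSTER"
    encrypt_secrets "$2"
}

# Demo, only when run as: sh team-secrets.sh demo  (needs gpg and real keys)
if [ "${1:-}" = "demo" ]; then
    printf '# alice\nFPR_ALICE_PLACEHOLDER\n# bob\nFPR_BOB_PLACEHOLDER\n' > "$ROSTER"
    printf 'db-password: example\n' > secrets.txt
    encrypt_secrets secrets.txt
    offboard_member FPR_BOB_PLACEHOLDER secrets.txt
fi
```

Committing the roster and the .asc file to a shared repository gives the "central DB" asked about in the comments, with the repository's access control on top of the per-key encryption.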

If command-line is acceptable, you could probably turn up an SUID script / program in reasonably short time. Alternately, you could establish some sort of client / server application. "If authorized, return data" is a pretty straightforward scheme and one I'd normally suggest simply writing something for.

However, a cursory look at CPM makes it look like a good piece of work. Besides that, the source code is available to you and presumably under a free license. I'd say run with it.

If you're on macOS, how about using Keychain Access with a shared keychain file? Put the keychain file on a shared drive/Dropbox or some other thing like that. I wish other software like 1Password would allow sharing passwords, but they only allow one file, so you either share all your passwords or none. Keychain Access allows you to separate different passwords into different files.

I'm the developer of Team Password Manager (http://teampasswordmanager.com), a commercial web-based tool to solve this exact problem. Passwords are grouped into projects and access to projects (and thus passwords) can be given at the user level. It's a downloadable PHP-based app, so you keep all your data. There's also a limited free version with 2 users and 5 projects.

Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.
– Scott Pack, Oct 21 '12 at 2:55

@Scott, the question was "what other solutions are out there" so I don't know what more there is to "the essential parts of the answer." I don't want to turn this site into a promotional flyer for commercial products like LastPass. Feel free to embellish my answer if you like.
– Major Major, Oct 21 '12 at 21:49

Where are you and the rest of the team? I know in the UK there are legal restrictions (Data Protection Act) that mean you should not transfer sensitive data outside of the UK etc., or it should be transferred to secure areas. You need to think about any legal impacts before you decide on which solution to pick. (http://www.legislation.gov.uk/ukpga/1998/29/contents)

Personally I wouldn't recommend outsourcing information like this to the cloud, as you can't outsource the risk, and if the cloud provider ever gets compromised it is all your fault. There's also some legislation from the US, Sarbanes–Oxley, that can get you in some trouble even in the UK on this matter.

Therefore I would go for some PGP, maybe OpenPGP as already stated. You can adapt this solution to cover not just sensitive data but also all your communications, keeping you a little safer.